Router Security Configuration Guide
UNCLASSIFIED
Version 1.0g
4.1.2. Router Software Versions
Cisco issues new IOS versions and upgrades fairly frequently, which makes keeping
every router on a large network up to date an administrative burden. Newer versions
of IOS fix bugs and vulnerabilities present in older versions and add new security
features, so keep your IOS as up to date as is practical. A second problem is that the
early maintenance releases of a new IOS release train tend to be less robust than the
later, more mature ones (e.g. 12.0.1 was an early version of IOS Release 12.0, while
12.0.9 was a mature version of the same release). A good approach is to run
operational routers on recent, but not cutting-edge, Cisco IOS releases; this lets
others find the bugs in the newest versions (and get them fixed) first. The
recommended minimum IOS release is 11.3. The recommended newest release is the
most recent GD (General Deployment) version that is at least a month old (at the
time of this writing, 12.0.12). To check your IOS version, log in and enter the
command show version. For more details on IOS upgrades, see Sections 4.5 and 8.3.
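Checking one router by hand is easy; checking every router on a large network against the release window above is where mistakes creep in. The following script is an added example (not part of this guide) that parses the release string from saved show version output and places it relative to the guide's window: below the 11.3 minimum, newer than the recommended GD release, or acceptable. The sample output is constructed, the window constants are taken from the text above, and the train-letter handling is an assumption about how IOS formats its release string.

```python
import re
from typing import Dict, NamedTuple, Optional

# Release window recommended by the guide: no older than IOS 11.3, and no
# newer than the most recent GD release that is at least a month old
# (12.0.12 at the time of writing).  Adjust RECOMMENDED_NEWEST as GD
# releases move on.
MINIMUM_RELEASE = (11, 3, 0)
RECOMMENDED_NEWEST = (12, 0, 12)


class IOSVersion(NamedTuple):
    major: int
    minor: int
    maintenance: int   # the number in parentheses, e.g. 9 in 12.0(9)
    train: str         # trailing train letters, e.g. "T"; "" for the mainline


# `show version` prints the release as e.g. "Version 12.0(9)" or "12.0(5)T".
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\((\d+)\)([A-Za-z0-9]*)")


def parse_show_version(output: str) -> Optional[IOSVersion]:
    """Extract the IOS release from `show version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, maint, train = m.groups()
    return IOSVersion(int(major), int(minor), int(maint), train)


def classify(v: IOSVersion) -> str:
    """Place a release relative to the guide's recommended window.

    Only the numeric release is compared; a train suffix such as "T" is
    carried along but not ranked, since trains are separate lineages
    (assumption: treat them as the mainline release they branched from).
    """
    base = (v.major, v.minor, v.maintenance)
    if base < MINIMUM_RELEASE:
        return "below-minimum"
    if base > RECOMMENDED_NEWEST:
        return "cutting-edge"
    return "ok"


def audit(show_version_by_host: Dict[str, str]) -> Dict[str, str]:
    """Map each router name to its status; unparseable output is flagged."""
    report = {}
    for host, output in show_version_by_host.items():
        v = parse_show_version(output)
        report[host] = "unparsed" if v is None else classify(v)
    return report


# Constructed sample `show version` output (not captured from a real router).
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.0(9), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
"""

if __name__ == "__main__":
    for host, status in audit({"router-a": SAMPLE_SHOW_VERSION}).items():
        print(f"{host}: {status}")
```

Feed it the show version output you have already collected (one string per router) and act on the "below-minimum" and "unparsed" entries first; an "unparsed" result usually means the output was truncated or came from a non-IOS device.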
4.1.3. Router Configuration and Commands (IOS)
After connecting to a router and logging in, the session is in user EXEC mode. User
EXEC mode gives limited access to the router's command set. Access to all router
commands, including the ability to change the configuration, is reserved for
privileged EXEC mode. Typing the enable command at a user EXEC prompt gives
access to privileged EXEC mode, which is sometimes called enable mode.
There are several configuration modes on a Cisco router. To enter global
configuration mode (config), type the command configure terminal, commonly
abbreviated config t. In global configuration mode a wide variety of overall router
features and settings can be changed: banners, authentication systems, access lists,
logging, routing protocols, and much more. There are sub-modes used to configure
specific settings for interfaces, lines, routing protocols, etc. The list below describes
some of the sub-modes.
- interface (config-if) is used to configure aspects of a particular interface
such as FastEthernet0, Ethernet0/1, or Vlan2.
- line (config-line) is used to set up the console port, auxiliary port, and
virtual terminal (vty) lines.
- access-list: named IP access lists come in two types, extended
(config-ext-nacl) and standard (config-std-nacl), and can be used instead of
numbered lists. The named access-list modes are entered with ip access-list
extended name or ip access-list standard name and are used for building named
access lists; numbered access lists are entered one line at a time in global
configuration mode.
- router (config-router) is where parameters for a selected routing protocol
are set and modified.
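When reviewing a saved configuration it helps to know which mode each command was entered in, because the same keyword (login, for instance) means different things in different sub-modes. The following classifier is an added example, not part of this guide or of IOS: it tags each line of a running-config with the configuration mode it belongs to, using the convention that sub-mode commands are indented one space beneath the global command that opened the sub-mode and that "!" separates sections. The sample configuration is constructed, and the mode names follow the IOS prompt suffixes listed above.

```python
import re
from typing import List, Tuple

# Global commands that open a configuration sub-mode, mapped to the prompt
# suffix IOS shows in that mode.  Named access lists get a sub-mode;
# numbered access lists (access-list NNN ...) are plain global commands.
_SUBMODE_OPENERS = [
    (re.compile(r"^interface\s"), "config-if"),
    (re.compile(r"^line\s"), "config-line"),
    (re.compile(r"^router\s"), "config-router"),
    (re.compile(r"^ip access-list standard\s"), "config-std-nacl"),
    (re.compile(r"^ip access-list extended\s"), "config-ext-nacl"),
]


def classify_config(text: str) -> List[Tuple[str, str]]:
    """Tag each command in a saved configuration with its configuration mode.

    Returns (mode, command) pairs.  Unindented lines are global configuration
    commands ("config"); a line that opens a sub-mode is itself a global
    command, and the indented lines that follow belong to that sub-mode until
    the next unindented line or a "!" separator.
    """
    tagged: List[Tuple[str, str]] = []
    mode = "config"
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue                      # blank lines carry no command
        if stripped == "!":
            mode = "config"               # section separator ends any sub-mode
            continue
        if raw[0] != " ":
            mode = "config"               # unindented: back to global config
            tagged.append(("config", stripped))
            for pattern, submode in _SUBMODE_OPENERS:
                if pattern.match(stripped):
                    mode = submode        # this command opened a sub-mode
                    break
        else:
            tagged.append((mode, stripped))
    return tagged


def commands_in_mode(text: str, mode: str) -> List[str]:
    """Return just the commands entered in the given mode, in file order."""
    return [cmd for m, cmd in classify_config(text) if m == mode]


# Constructed sample running-config (not taken from a real router).
SAMPLE_CONFIG = """\
!
hostname Router1
!
aaa new-model
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
ip access-list extended filter-in
 permit tcp any host 192.0.2.1 eq 22
 deny ip any any log
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ip access-group filter-in in
 no ip directed-broadcast
!
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
!
line con 0
 login
line vty 0 4
 access-class 10 in
 login
!
"""

if __name__ == "__main__":
    for mode, cmd in classify_config(SAMPLE_CONFIG):
        print(f"{mode:16} {cmd}")
```

Pulling out commands_in_mode(text, "config-line") is a quick way to confirm that every console, auxiliary and vty line actually carries a login requirement and an access-class, which is the kind of check the later sections of this guide ask for.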
In addition to the standard authentication, authorization, and logging router functions,
Cisco IOS 11.1 and later offer a comprehensive model for authentication,
authorization, and accounting (AAA), the so-called new model. See Section 4.1.6
for a brief description and Section 4.6 for more details.